Silent cyber risk concerns decline after 2018 spike

We’re pleased to share the results summary for the 2019 Willis Re survey that assesses the potential for coverage of cyber-related losses.

Our latest market survey about silent cyber exposure — potential cyber-related losses arising from coverage under insurance policies not specifically designed to cover cyber risk – shows the perception of risk levels among respondents dropping considerably from 2018 for all commercial lines of business and industry groups. This might be because there
were no wide-scale cyber events that impacted the prior 12 months, unlike at the time of the 2018 survey when the NotPetya and WannaCry malware events of the previous year were still fresh in everyone’s collective memory. It might also reflect progress made by insurers in mitigating their silent cyber exposures.

In 2019, the third annual edition of the survey, our sample
continued to represent a broad industry cross section of over
600 respondents from claims, underwriting, legal, broking
and analytics backgrounds. The split of industry experience
was 32% with 10 years or less, and 68% with 11 years or more
(Figure 1), a slight increase for respondents newer to the
industry compared with 2018 when the split was 28% and 72%.

As we did in our 2018 survey, this year we started with
five lines of commercial business: property, other liability
(excluding professional liability), workers compensation,
errors and omissions (E&O), and directors and officers (D&O).
Once again, we analyzed results by industry. This year, we
added a question about whether a commercial account’s size
influences perceived risk and also revived the 2017 survey
question about silent cyber risk in personal lines homeowners
and auto classes of business.

Figure 1. Respondent profile by industry experience

What the numbers mean

The survey assesses the extent to which the cyber aspect of exposure could increase the likelihood of a covered claim in the next 12 months. Based on the available range of responses — 0% (no additional claims due to cyber) to 100% (as many cyber-related claims as non-cyber-related claims) — we convert these into a cyber risk factor. For example, 1.01 denotes one additional cyber-related claim for every 100 non-cyber-related claims, and 1.5 represents one additional cyber-related claim for every two non-cyber-related claims.

Results by insurance line and account size

Across all the commercial lines surveyed, perceived cyber exposure has dropped significantly since the 2018 survey.

In property, the percentage of respondents rating the risk
as greater than 1.01 has decreased by 26 percentage points
since 2018 and even 11 percentage points since 2017 (Figure
2). Of note here, other liability is now broadly perceived
as more vulnerable to cyber risk than property. While the
percentage of respondents rating the risk for other liability as
greater than 1.01 has decreased since 2018, at 22 percentage
points this was more muted than property. Furthermore, in
contrast to property, respondents viewed the risk for other
liability as five percentage points higher in 2019 than it was in
2017. This could be attributed to headline data breach losses
that continued to occur in 2018, such as Marriott, which may
be perceived to lead to more third-party claims. Conversely,
there were no headline ransomware or malware attacks in
2018, which may be perceived to lead to more first-party
claims. In the remaining workers compensation class, where
the perceived risk was already low compared with other
insurance lines, the percentage opting for greater than 1.01
fell from 32% to 20%, returning to the same level as 2017.

Comparative data for 2017 is not available for E&O and
D&O, but the same significant reduction in perceived cyber
exposure is evident between 2018 and 2019 (Figure 3). The
percentage of respondents rating the risk as greater than
1.01 decreased by 22 percentage points for E&O and 25
percentage points for D&O.

The drop in perceived exposure is also evident at higher levels of risk factor. This trend is most pronounced in E&O, D&O and property, where 15% to 18% fewer respondents think the risk factor for cyber is 1.10 or greater today than in 2018. Relatively speaking, other liability is now viewed as more exposed than property to risk factors of 1.10 or greater, reversing the results in 2018 and 2017 when property was viewed as more exposed to risk factors at these levels. Interestingly, the one exception to the reduction in perceived risk is at the most extreme end of the spectrum where the percentage of respondents who think the risk is 2.00 increased in every line between 2018 and 2019. Although the numbers remain small, the most sizable increase occurred in property where the percentage rose from 1% to 1.9%. This trend extends back to 2017 for property, other liability and workers compensation.

As a footnote to Figures 2 and 3, the perceived risk also depends on the size of account. When compared against a commercial lines portfolio comprising accounts of all sizes, 48% of respondents believe the cyber risk factor for large accounts should be increased by one or more levels (for example, from 1.01 to 1.02 and above), while 44% of respondents believe the cyber risk factor should be reduced by a corresponding amount for small accounts.

In the personal lines classes (Figure 4), while the overall
risk levels are seen as lower than most commercial lines
(greater than 1.01 for 27% of respondents for homeowners
and 24% of respondents for auto), they are still perceived as
more vulnerable to cyber risk than workers compensation,
arguably reflecting the increasing levels of technology now
in use in homes and vehicles. This view is supported by the
increased perception of risk since the 2017 survey when 18%
of respondents for homeowners and 17% of respondents for
personal auto thought the risk level was greater than 1.01.

Results by industry group

The level of perceived cyber risk by industry is lower in 2019 across the board, in line with the overall results (Figures 5 and 6).

The reductions in perceived risk by industry are most pronounced in the commercial property line of business. In 2018, over 50% of respondents thought the cyber risk factor was more than 1.01 in all nine industry groups. In 2019, no industry group met that threshold – down even from 2017 when both IT/Utilities/Telecoms and Financial Services exceeded the threshold (Figure 5). The same trends are also evident in industry groups for other liability, although less pronounced.

Figure 5a. Cyber risk factor by industry, property

Figure 5b. Cyber risk factor by industry, other liability

Similarly, in the D&O class, only Financial Services (58%) and IT/Utilities/Telecoms (53%) are now perceived as carrying a risk greater than 1.01 by more than half of respondents, whereas all industry groups scored 60% or higher (84% in the case of Financial Services) on this measure in 2018 (Figure 6). Again, the same industry group trend is evident in E&O, although it is more muted.

IT/Utilities/Telecoms is still perceived as the most vulnerable industry group to cyber risk (percentage of responses greater than 1.01) for property and other liability for each of 2017, 2018 and 2019, and the same goes for Financial Services for D&O and E&O for 2018 and 2019.

Comparable trends are also apparent at higher levels of risk factor. Only Financial Services and IT/Utilities/Telecoms in the E&O class are still rated as carrying a risk factor greater than 1.10 by more than 20% of respondents. This contrasts with the 2018 results when elevated concerns about the level of cyber risk were commonplace across most industries. In comparing 2017 with 2019, the reduction in perceived levels of risk factor by industry group is much more pronounced for property than it is for other liability.

Related Insights

Opinions about the relative risk that accompanies various industry groups in specific lines of business remain broadly unchanged. On a relative basis, IT/Utilities/Telecoms is still perceived as the most vulnerable industry group to cyber risk (percentage of responses greater than 1.01) for property and other liability for each of 2017, 2018 and 2019, and the same goes for Financial Services for D&O and E&O for 2018 and 2019. The one notable change in comparative vulnerability is Retail/Hospitality for both property and other liability. In 2017 and 2018, Retail/Hospitality was perceived as eighth most vulnerable out of nine industry groups in both lines of business, but in 2019 it rose to fourth out of nine in both lines, possibly reflecting the growing number of cyber losses impacting the Retail/Hospitality sector.

Figure 6a. Cyber risk factor by industry, D&O liability

Figure 6b. Cyber risk factor by industry, E&O liability

Outlook and next steps

Market concerns about silent cyber have declined notably over the past year, and this is particularly evident in property. It will be interesting to see if 2018 was indeed a spike and whether the market is more sanguine about exposure, or whether a new cyber event rekindles the heightened concern that was evident in the responses to our last survey. It will also be interesting to see what impact new data privacy laws, which are due to be introduced in 2020 in states including California, have on market perception. In the meantime, over the coming months, we will use the data from our 2019 survey to update and better parameterize the silent cyber module of our PRISM-Re cyber model to assist Willis Re clients in keeping up to date when they assess this hard-to-quantify, but potentially significant, exposure. We also plan to repeat our survey in early 2020 to see how market perception has evolved.

Download

Contact

In 2017 and 2018, Retail/Hospitality was perceived as eighth most vulnerable out of nine industry groups in both lines of business, but in 2019 it rose to fourth out of nine in both lines, possibly reflecting the growing number of cyber losses impacting the Retail/Hospitality sector.